Securing the ERP Overview: Is Your ERP Safe? - KPMG

Overview © 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Overview


Are you prepared to deal with the exposures associated with an Oracle ERP related breach?


Is your current Oracle ERP security & controls solution impeding the performance of your organization?


Does your legacy Oracle ERP security & controls solution support today’s dynamic, global operational requirements?


Does your Oracle ERP security & controls solution provide a cost effective platform to support regulatory compliance requirements?


Oracle ERP Security & Controls Challenge

How do you effectively and efficiently balance user enablement with transaction & data protection?

[Diagram labels: Employees; Mobile, Cloud, Web, Client Server, ERP, Mainframe]

Key Business Drivers

• Increased Cyber Threats
• Burdensome Regulatory Requirements
• Operational Complexities
• Need to Empower Employees
• Unrelenting Technology Changes


Controls, Security, Risk, Compliance

Traditionally, Oracle ERP project teams are focused on core ERP functionality, prioritizing implementation activities to align with timeline limitations and budget constraints.

This tactical approach commonly results in risk and control compromises that are not fully appreciated until after go-live.

Once the ERP solution is live and operational, organizations begin to realize the significance of their oversights and compromises and are forced to initiate post go-live remediation projects to make the necessary corrections. These projects are disruptive, exponentially more expensive and time-consuming.

The primary function of our Oracle Risk Consulting practice is to provide experienced resources to proactively assist ERP implementations through a focus on the Securing the ERP principles to help minimize the threat of costly rework after the ERP solution is operational.


Securing the ERP

KPMG’s Securing the ERP approach is a 360 degree view of ERP security and controls positioned to help industry leading organizations effectively balance the divergent tasks of empowering ERP business users while simultaneously protecting sensitive data and transactions.


Advanced Controls


Key Business Drivers

• Revenue leakage
• ERP centric business processes complexities and inefficiencies
• Fraud and errors
• High ERP configuration costs
• Complex regulatory compliance requirements
• Greater transparency required for sensitive transactions

Key Capabilities for Advanced Controls

• Business Process Controls Framework to organize manual controls, ERP application controls and automated controls
• Preventative Controls to mitigate process risks
• Detective Controls to monitor sensitive transactions and data changes
• Configuration Controls to track/monitor configuration changes and compare Oracle ERP instances
• Conversion & Interface Controls
• Fine grain Segregation of Duties

Realized Value

• Automated controls
• Effective configuration management program
• Effective regulatory compliance program


Application Security


Key Business Drivers

• Employee access to ERP applications
• Sensitive ERP transactions and data
• Fraud and error
• Complex regulatory compliance requirements

Key Capabilities for Application Security

• Authentication: Oracle ERP authentication/single sign-on
• Role Based Access Controls (RBAC) based on specific job functions
• Access Permissions Architecture based on specific requirements such as job role or geographic location
• Function Security restricts user access to individual menus of ERP functions, such as forms, HTML pages, or widgets
• Data Security to restrict the access to the individual data that is shown once a user has selected a menu or menu option
• Operational Segregation of Duties (SOD) framework

Realized Value

• Enabled ERP users aligned with job functions
• Reduced user administration costs
• Effective regulatory compliance program


Data and Infrastructure

Data & Infrastructure Security

Key Business Drivers

• External threats
• Internal threats
• Technology vulnerabilities
• Complex regulatory compliance requirements
• High availability

Key Capabilities for Data & Infrastructure

• Information protection to protect data at rest and data in motion, database security, data masking, vulnerability management
• Infrastructure Security to harden operating system and hardware
• Cyber Security program to minimize the impact of cyber security attacks by proactively monitoring transactions & leveraging an incident response program
• Business and Technology Resilience to provide business continuity planning & management, disaster recovery, crisis management, high availability capabilities, performance monitoring
• Privileged user management program to manage administration and system-to-system user accounts

Realized Value

• Effective, risk-based information security program to protect ERP solution

• Effective regulatory compliance program

User Access Administration


Key Business Drivers

• Ongoing user administration and control governance
• High user administration and Controls cost
• Complex regulatory compliance requirements
• Greater need to understand user activities and usage trends

Key Capabilities for User Access Administration

• ERP Security Operations and Controls Governance
    • Organizational design & operational processes
    • Policies and procedures
    • Controls Governance & reporting
    • ERP Controls enablement and remediation processes
    • Segregation of Duties process
• User Access Administration Functions and Tools
    • Registration / Approval
    • Self Service
    • Delegation
    • User Provisioning: Add, Change, Inactive
    • Password Management
    • Certification
• User Analytics

Realized Value

• Efficient ERP user administration program
• Reduced user administration cost
• Effective regulatory compliance program


Securing the ERP Roadmap


Securing the ERP

[Figure: Securing the ERP Journey roadmap. Recoverable labels: Workshop, Jumpstart Project, Strategy, Assess, Design, Advanced Controls, User Access Administration, Data Security, Infrastructure Security, ERP Project Roadmap]

Methodology

Our KPMG Securing the ERP framework uses a risk-based phased approach to create more manageable and measurable engagements. Each phase logically leads to the next phase and leverages work performed in all prior phases, while managing the project closely with the client in each phase.

Securing the ERP: Application Security, Advanced Controls, Data & Infrastructure Security, User Access Administration

Securing the ERP Services

• Strategy, business requirements and business case development
• Facts to Value current state assessments
• Oracle ERP Security and Advanced Controls design and implementation
• Automated Controls implementation – Preventative & Detective
• User Access Administration design and operational realization
• Data and Infrastructure security design and implementation
• Configuration controls implementation


Methodology

Phases: Plan, Design, Build, Implement, Monitor

Workstreams: Advanced Controls, Application Security, Data & Infrastructure Security, User Access Administration

Activities shown in the methodology diagram:

• Securing the ERP Strategy
• Current State Assessment
• Securing the ERP Project Plan
• EBS Application Security Design
• Update User Administration Program
• Risk & Controls Matrix Review & Update
• Manual Controls Design
• EBS Controls Design
• Oracle Advanced Controls Design
• EBS Data Security Design
• RBAC Design
• SOD Design
• EBS Infrastructure security Design
• Build & Validate EBS Roles & Responsibilities
• EBS Configuration
• OAC Install & Configuration
• Build Data Security Architecture
• Build Infrastructure Security Architecture
• Convert & Validate Test Users
• Execute User Administration Program
• Review User Administration Program
• SOD Review Users
• Testing Cycles Validate Process Controls
• Convert & Validate End Users
• SOD Review Permission
• Testing Cycle Validate Data & Infrastructure
• Testing Cycles ERP Application Security
• Blue Sky Strategy Workshop

KPMG Security and Controls Practice


Practice Overview

KPMG brings a depth and breadth of security and controls expertise to today’s ERP security challenges. Our Oracle Security & Controls resources know the business advantages of a well-managed ERP system, and they know how to implement the right security & control solutions in a given context to not just foster a company’s growth and efficiency, but help ensure that its assets and data are protected.

KPMG’s Oracle Security & Controls Practice Highlights

• 20 years of Oracle security and controls experience
• Global delivery team with 100+ Oracle security & controls resources
• Oracle Security & Controls implementations have included EBS, PeopleSoft, and integrations with Siebel, Hyperion, BRM, PIM, and OIM
• 100+ Securing the ERP engagements delivered by the team members
• Long standing relationships with Oracle Advanced Controls product development, and product support organization

Thought Leadership

• Profit Magazine Securing the ERP Interview, August 2014
• Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations, March 2014
• Record to Report (R2R) White Paper, April 2014


Tools and Accelerators

• Securing the ERP Methodology
• Risk & Controls Catalog
• Implementation Tools & Accelerators
• Deliverable Templates
• Process Flowcharts
• Analysis Tools
• Role Designer
• Role Uploader


Securing the ERP Maturity Model


Maturity Model

[Figure: Securing the ERP Maturity Model. Levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized, ranging from Ad Hoc and Reactive to Automated. Security labels: Individual User Permission Approach, Defined user request and approval process, RBAC, Single Sign-on, HR position based permissions, UMX, self service, Identity integration, Adaptive authentication. Controls labels: Manual controls, No SOD Controls, ERP configurable controls, Controls matrix, Automated SOD Controls, Detective Controls, Preventative Controls, Configuration controls, Control driven Business Process Optimization]

Client Use Case Examples


Oracle ERP Application Security

Business Driver: The client was in the middle of an R12 Upgrade when leadership became aware of a significant user access issue. Specifically, the organization had a limited understanding of which employees had access to critical transactions.

ERP Users: 6,500
Responsibilities: 4,873

Solution: KPMG leveraged our Securing the ERP – Role Based Access controls design accelerators to standardize functional roles and help our client realign user access to better enable the business processes.

ERP Users: 6,500
Responsibilities: < 500


Client Use Case Example

Oracle ERP Application Security

[Diagram labels: Employee, HR Position, Role, Responsibilities; Job Position; Role, Role, Role]


Use Case Example

User Access Administration

Business Driver: The client’s user management processes were inadequately supporting the user community. Client leadership was concerned with their auditor feedback related to user administration, certification and segregation of duties.

Solution: Leveraged Oracle Identity Management products to streamline user management and automate the certification processes. In addition, the solution integrated Oracle Identity Management products with Oracle Advanced Controls – AACG to address SOD challenges.


Client Use Case Example

User Access Administration

Certification


Client Use Case Example

Order to Cash Scrap Controls

Business Driver: To support a business process improvement initiative, the client’s leadership wanted greater transparency of their order to cash processes. Specifically, leadership wanted to make the reason code mandatory when scrap transactions were processed by the business.


Solution: Leverage Oracle Advanced Controls – Preventative Controls Governor to make the reason code mandatory. Standard Oracle EBS functionality does not require this.


Client Use Case Example

Order to Cash Scrap Controls

Standard functionality of Miscellaneous Transactions form: “Reason” field optional.


Client Use Case Example

Order to Cash Scrap Controls

Leveraged Oracle Advanced Controls – Preventative Controls Governor to make this field required.


Facts to Value


Facts 2 Value

KPMG: Facts 2 Value

A data analytics solution that is positioned to help our clients to identify irregularities and opportunities for improving efficiency and effectiveness in ERP operational and financial processes.

Risk & Control Focus

Improving audits
■ Full volume testing vs. sampling
■ Using transactional data for testing application controls
■ Central testing of automated controls

Improving risk management
■ Identify problem areas in processes
■ Focus on issues instead of generic risks

Improving internal control
■ Determine customized control settings
■ Verify master data reliability
■ Scan authorizations including actual usage
■ Identify key areas for control improvement

Process Improvement

Process effectiveness
■ Full insight into actual flows (buckets) including number of documents and value

Process efficiency
■ Insight into document processing time
■ Number and value of parked and blocked documents

Benchmarking
■ Internal between e.g. Organizations
■ External with anonymous industry data

Project reviews
■ Pre-go-live scans
■ Post-implementation reviews

Cost Savings

Working capital
■ Days sales outstanding
■ Evaluation of rebate agreements
■ Days payables outstanding
■ Evaluation of payment terms
■ Stock analyses (dead, safety, etc.)
■ Interest earnings
■ Asset analyses

Tax improvements
■ Used tax determination scenarios
■ Inaccurate use of tax code derivations
■ Possible tax savings (reduce possible fines, apply lower tax schemes)


Facts 2 Value

Business Process Controls Area of Focus

Purchase to Pay

• Possible duplicate vendor invoices

• Display actual usage of 3-way match invoices

• Detect parked or held incoming logistic invoices

• Display use of invoice verification tolerance limits

• Display all changes to vendor master data

• Display outstanding parked invoices

• Detect goods receipt without a purchase order

• Display actual usage of 2-way and 3-way match invoices

• Detect incomplete foreign trade data for vendors

• Display incomplete vendor master data

Order to Cash

• Detect blocked sales orders

• Detect invoices in Sales but not processed in Finance

• Sales orders delivered but not yet invoiced

• Display customers with exceeded credit limits

• Detect incomplete foreign trade data for customers

• Detect customers without credit limit

• Detect deliveries without goods issue

• Display all changes to customer bank account data

• Overview of created credit notes

• Detect incomplete customer master data

Order to Cash

• Days Sales Outstanding

• DSO per customer

• DSO per country

• Early/late payments

• Used payment terms

• Frequency of invoicing

• Credit memo / invoice ratio

• Customer consignment orders

• Orders per user

• Invoices per user

• Frequency of dunning

• Used payment methods

• Contract compliance

• Order cancellations


Facts 2 Value

Business Process Controls Area of Focus

Purchase to Pay

• Days Payable Outstanding

• DPO per vendor

• DPO per country

• Early/late payments

• Used payment terms

• TAX reclaim analysis

• Contract compliance

• Orders per user

• Invoices per user

• Vendor return orders

• One-time vendor payments

• Vendor consignment orders

• Early payment rebates

• Frequency of invoicing

Finance to Report

• Detect GL accounts allowed for manual postings

• Changes to GL account settings

• Display all changes to asset master data

• Display all open posting periods

• Display all open items per GL account

• Detect all FI postings not processed

• Detect unposted assets

• Manual customer payments

• Manual vendor payments

• Reconciliation Finance-Manufacturing

Inventory Management

• Days Inventory Outstanding

• DIO per plant

• DIO per customer

• Material movement analysis – raw materials

• Material movement analysis – finished products

• Safety stock analysis – minimum stock levels

• Safety stock analysis – delivery reliability

• Vendor delivery quantity reliability

• Vendor delivery time reliability

• Quality lead time analysis – raw materials

• Quality lead time analysis – finished products

• Dead stock analysis


Facts 2 Value

Business Process Controls Area of Focus - HR

Personnel Master Data

• Non-registered staff using actions

• Duplicate employee data

• Employees with no addresses

• Incomplete personnel members

• Duplicate personnel members

• Employees with multiple Oracle ERP account names

• Active employees without an Oracle-user

• Manual change of the contract without changes in leave

• Manual changes of leave without a contract change

• Personnel with a contract but not in the organization chart

Employment & Absence

• Temporary employments

• Overtime for specific functions

• Untimely sickness reporting

• Untimely or incorrect registration of leave

Time Reporting

• More than 8 hours a day

• More than 40 hours a week

• Total hours per week

• Timeliness of timesheet entering

• Timeliness of timesheet approval

• Hours not yet approved

• Hours booked per week

• Hours transferred to other project or WBS element

• Hours entered and approved

• Approve own hours

Benefits & Salary

• Additional payments (wages) inconveniences

• Requested move expenses without address change

• Work at home costs without changed commuting compensation

• Ratio variable and fixed income

• Changes in salaries

• Changed own salary


Facts 2 Value

Business Process Controls – Purchase to Pay Visualization


Legend: Manually controlled process; System controlled process; Open / parked documents

Purchase order

• Processed Orders: with receipt $ 554m, 163,882 orders; without receipt $ 283m, 475,710 orders

• Open orders (> 3 months): Not analyzed

Receipt

• Processed Receipts: $ 559m, 669,532 receipts

• Receipts without orders: $ 0, 0 receipts

Invoice (inc. VAT)

• Processed Invoices, 3-way match invoices: $ 499m (48%), 331,426 invoices (34%). Manual release $ 312m (63%), 135,009 invoices; Matched $ 187m (37%), 196,417 invoices

• Processed Invoices, 2-way match invoices: $ 248m (24%), 450,440 invoices (46%). Manual release $ 40m (16%), 76,881 invoices; Matched $ 208m (84%), 373,559 invoices

• Processed Invoices, direct invoices (without PO): $ 296m (28%), 189,699 invoices (20%). Manual release $ 65m (22%), 47,105 invoices; Auto. release $ 231m (78%), 142,594 invoices

• Processed Credit Memos: Credit memos $ 98m (9%), 14,576 credit memos

• Invoices not processed in AP: $ 1m, 695 invoices

• Possible duplicate invoices: $ 0, 0 invoices

Payment (AP) (inc. VAT)

• Open AP Items: $ 185m (193,636 items). Due for payment: 0 – 60 days: $ 183m (192,066); 60 – 121 days: $ 590k (620); >120 days: $ 1.8m (950)

• Processed AP Items, regular AP payments (payment run): $ 772m, 58,111 items

• Processed AP Items, manual AP payments: $ 3m, 267 items

• Other AP postings: Not analyzed


Securing the ERP Workshop


Goal

Review KPMG’s Securing the ERP areas of focus and understand how this program can be used to strategically align Oracle ERP Security & Controls related spend and operational priorities

Agenda

9:00 to 11am

Review Securing the ERP Areas of Focus

- Controls Enabled Business Process Optimization and Performance Analytics

- ERP Advanced Controls (Automated, Detective, User, Configuration)

- ERP Application Security (Users, Permissions, Role Based Access Controls, SOD)

- User Access Administration (User Operations, Business Processes & Analytics)

- Data & Infrastructure Security (Data in Motion/Data at Rest, Cyber Risk,…)

11:00 to 12 noon

Lunch and Real-Life Example / Use Case Discussion

1:00 to 3pm

Strategy & Planning Deep Dive

- Strategic Planning Considerations

- Prioritization & Budgeting

- Current State – “White Board” Assessment

- Strategic Roadmap Deep Dive – 24 Month

- Current State “White Board” Assessment Output

- Prioritized Strategic Roadmap


Securing the ERP Workshop


• Director of Internal Audit

• Chief Information Officer

• Finance

• Chief Risk Officer

• Controls Leader

• Chief Information Security Officer

• ERP Project Leader

• Human Resources


Laeeq Ahmed [email protected]

(818) 227 6032

Brian Jensen [email protected]

(817) 946 9552

© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.